Malware Analysis Report

2024-11-30 11:31

Sample ID 240224-3esxeagf65
Target 2024-02-24_6e68078b1e96379c63e65922d4210193_darkside
SHA256 4cd8104440fb28afb5cadcfbdc529f57f62db479b679117c0c461fdae5796997
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4cd8104440fb28afb5cadcfbdc529f57f62db479b679117c0c461fdae5796997

Threat Level: Known bad

The file 2024-02-24_6e68078b1e96379c63e65922d4210193_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (308) files with added filename extension

Renames multiple (620) files with added filename extension

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 23:26

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 23:26

Reported

2024-02-24 23:28

Platform

win7-20240215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (308) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\257B.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\257B.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd\ = "8jRMgfBxd" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon\ = "C:\\ProgramData\\8jRMgfBxd.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A (identical row repeated 14 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe"

C:\ProgramData\257B.tmp

"C:\ProgramData\257B.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\257B.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2204-0-0x0000000002400000-0x0000000002440000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini

MD5 b9a5719152610d7788ea8f0a09ba84ad
SHA1 14ab82380a8394f0b7633e528b744346dcc3fa0f
SHA256 912c81c67bba52b7e6e901fcc9cdccfb6a60b62ad030bbc3453ed523606371c1
SHA512 0a0f85004aeb32b041b066aa3ae56c0bed77178adc36dc64c7360136a16ea8b7d1fbc0d2100ad34ab03b91075fbaae598ba4d40b059a492f2bda76042cc841df

F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\DDDDDDDDDDD

MD5 0a91488c138c5257c7238b8343e18146
SHA1 4dafde5c055771d941f59c8826707232eda0b062
SHA256 7fd105042670b24b82585053fa009f871f8e2dbe1944ed4f4c54d968405376f9
SHA512 0118c6bca57bcfc977c875a1def7ddd17ce6fec8d94a29b73513cfabd71db90e73b5824e254c33ce9d7d83d8d098061773052e5f6a9d3019e747a964e74c57a7

C:\8jRMgfBxd.README.txt

MD5 51b335c54823df668187ee995062b735
SHA1 a4b8386581db0399ad169611c149529318bdff9d
SHA256 618b7b3c2bad1ff254e4bfe6f6fcf95159a60dcb6dea8e2411c9ba3464cb2d3d
SHA512 548da8ad54c398fe74a46784f5ada71ec097f9a4cbd1c2f69fdfbb4b1a00343ddae3f94afca11dc25b662cdd8aa7c165c5d9145c27a90cd3b8c1b9a3e39fbbca

\ProgramData\257B.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2816-834-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2816-836-0x0000000002170000-0x00000000021B0000-memory.dmp

memory/2816-839-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2816-840-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 f6d70a1d5fb553af6c842992df5c1b88
SHA1 b2d7e3d81ea2cae9fca42938d26e74f13eb920ae
SHA256 b57ba6eb88594dea2624405a62b3090427b0075483588358e1806856bbc27e86
SHA512 e58cdba0596d679af12d28d1bc7c948a7c0257ad1a3b2740e1fc19008785c8aefbecd68c7f31096f3ad967d7c2c5fadba7b3ae2bd0fba86bbcf9b670e1bf4d60

memory/2816-866-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2816-867-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 23:26

Reported

2024-02-24 23:28

Platform

win10v2004-20240221-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (620) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\ProgramData\CD00.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\CD00.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\CD00.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3844919115-497234255-166257750-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3844919115-497234255-166257750-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PPt302rt755ytvu5bgxvgu4yazd.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP09q19w8yq8q9ef97d9foqjxib.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPapc6j_cibuf585m0yh8wiq8rc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\8jRMgfBxd.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.8jRMgfBxd\ = "8jRMgfBxd" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\8jRMgfBxd\DefaultIcon\ = "C:\\ProgramData\\8jRMgfBxd.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A (identical row repeated 64 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe C:\Windows\splwow64.exe
PID 4320 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe C:\Windows\splwow64.exe
PID 4448 wrote to memory of 3924 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4448 wrote to memory of 3924 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4320 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe C:\ProgramData\CD00.tmp
PID 4320 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe C:\ProgramData\CD00.tmp
PID 4320 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe C:\ProgramData\CD00.tmp
PID 4320 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe C:\ProgramData\CD00.tmp
PID 2800 wrote to memory of 2308 N/A C:\ProgramData\CD00.tmp C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2308 N/A C:\ProgramData\CD00.tmp C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2308 N/A C:\ProgramData\CD00.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_6e68078b1e96379c63e65922d4210193_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F674E787-D356-4AAB-82A1-62404FB219B9}.xps" 133532908029200000

C:\ProgramData\CD00.tmp

"C:\ProgramData\CD00.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\CD00.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-3844919115-497234255-166257750-1000\desktop.ini

MD5 1f36b7f2751dd30c0477b7d4b8279250
SHA1 b00aef54fd9ecab3188838eda66c19988913357f
SHA256 cde971bb2af2c3ed56ebb7be90962c77072cdabc2e62310427a20972a4399622
SHA512 40f722cbb4d0311aa9da894a4c4928076c8077fd94927dd649bfcb65389b7398b160ac566f881177e3794978b360d0390e67f699fe78f4410645974985aff23a

F:\$RECYCLE.BIN\S-1-5-21-3844919115-497234255-166257750-1000\DDDDDDDDDDD

MD5 ef58d30def255bc8ba043f27b8edebf1
SHA1 bd3d53a3c868f2a904c62f177c37202b1c60f011
SHA256 9e622af6f34b14557326af289793b941faa21dfe46cf409a2dddbfba78a10431
SHA512 b3218e7d95230cac31d6e852b5d523b7412f2dc895367677d9b7f89380d43067f3a354a878420750fc82a5d269b8edddb2d3940d68bdb168ea32a17e8e232dcb

C:\8jRMgfBxd.README.txt

MD5 5b96c940b37e3323427efac8b8677d9a
SHA1 e6ad8a9652560e805ba5d9ffbec52edd0af284d7
SHA256 f71e75468ac5a2c1a09d0701d2cec913b62d6996ec5b88172466081eeb097a18
SHA512 30758e1469e3f5c19a35ce80d19d5ec831eb82bc443ae43ceed839ebd297b9574141092fdcd387040cbd0492516792c6025af2f3936ca5c8c19781b6642a7d72

C:\ProgramData\CD00.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 e00ac3fc5e159b29d00950008d922772
SHA1 67b61fe26da209e4f57afa41d7240e01d6f72a34
SHA256 ec25dc4a343c4744efe89124329de49efacee52932f55136ccd6a2f2d7229eb1
SHA512 d6ef3ff70e5216dd23a4f4cbadd5ee7237a961f94a5063df1d73ce520d4c4b32a707dbabb54d15392f9a6a56304a22264033dbeeaaf60603200d91f0288c3c8d

C:\Users\Admin\AppData\Local\Temp\{90BAFD64-A67F-412B-8424-2C5BAF3BC222}

MD5 fa753b76eb4c95c2c538283bf795b568
SHA1 3f4983499dbdd151956c7ab94ab2c61b41cc9e50
SHA256 380f8ada73e88af07a68b55489dd3cc8cbf1e844ea61eca79d2fd79e0ba34205
SHA512 30af021b073979f5b0641add838cc411696f8bc74a050e320c20a01724262e5d575b408a8b1109e5aa33624c9a4eca98a5badbc7d20959a4631912c3f7fa502d

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 1d27e8b9ca23a818138e8a1af79849bd
SHA1 f495793d1c96a6471a3700ff41268d3b40fa6c57
SHA256 da808c792e7900e4338837443757b4ac44d9621a405c1afabe892f54b1b2e6c9
SHA512 ba85267265980fb45c828ba62cb21653a350ba4b3c3f200215cef71a19e8681909e2524d485f6fd007dc88cff75ddc4c1c6df638c5e02ccf3f9b6f450611bf89
